CVE-2026-33658 - Fix possible DoS vulnerability in proxy mode via multi-range requests.
CVE-2026-33202 — Fix possible glob injection in DiskService.
CVE-2026-33195 — Fix possible path traversal in DiskService.
CVE-2026-33174 - Fix possible DoS vulnerability in proxy mode via Range requests.
CVE-2026-33173 — Fix insufficient filtering of metadata in direct uploads.

Active Support

CVE-2026-33176 — Fix possible DoS vulnerability in number helpers.
CVE-2026-33170 — Fix possible XSS vulnerability in SafeBuffer#%.
CVE-2026-33169 — Fix possible ReDoS vulnerability in number_to_delimited.

6.1.7.34

Released Mar 4, 2026

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.22.10.

October 2025

6.1.7.33

Released Oct 30, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.20.11.

6.1.7.32

Released Oct 13, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.20.10.

6.1.7.31

Released Oct 10, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.19.10.

6.1.7.30

Released Oct 2, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.18.10.

August 2025

6.1.7.29

Released Aug 20, 2025

CVE-2025-55193

CVE-2025-24293

Bug Fixes

Active Record

CVE-2025-55193 - Call inspect on ids in RecordNotFound error.

Active Storage

CVE-2025-24293 - Remove dangerous transformations.

June 2025

6.1.7.28

Released Jun 17, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.17.10.

May 2025

6.1.7.27

Released May 14, 2025

Notes

No changes in Rails.
Bumped Rack version requirement to version 2.2.14.10.

March 2025

6.1.7.26

Released Mar 17, 2025

Notes

Bumped Rack version requirement to version 2.2.13.10.
Removed the railslts-version gem.

February 2025

6.1.7.21

Released Feb 10, 2025

Notes

This is the initial release of Never-Ending Support (NES) for Rails v6.1.x.

Bug Fixes

Action Mailer

CVE-2024-47889 – Avoid regex backtracking in block_format helper.

Action Pack

CVE-2024-54133 – Fixed a possible Content Security Policy bypass in Action Dispatch.
CVE-2024-47887 – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
CVE-2024-41128 – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.

Action Text

CVE-2024-47888 – Fixed a possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team